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Abstract — Truly random number generators are essential secu- 
rity tools in cryptosystems. Recently, chaotic-map truly random 
number generators (TRNGs) have received a great deal of 
attention due to their high speed, low power consumption, and 
integrability. In this paper, we present a hidden Markov modeling 
for chaotic-map TRNGs that can be used to evaluate the bit- 
generation process under process variations as well as to analyze 
the efficiency of post-processing units on such TRNGs. 

Index Terms — Truly Random Number Generator (TRNG); 
Information Theory; Chaos; Hidden Markov Process (HMP). 

I. Introduction 

CHAOS is the long-term non-predictive behavior observed 
in certain nonlinear dynamical systems due to the sensi- 
tivity of the output trajectory to the initial conditions. Although 
chaotic systems are deterministic and can be described using 
simple differential equations, their output trajectory can only 
be determined given the exact initial state of the system. 
However, in practice, the initial state of the system is only 
known with uncertainty due to the random environmental 
noise. Therefore, the perturbations in the system grow expo- 
nentially and lead to the non-predictive behavior JTJ. 

One natural application for the non-predictive behavior of 
the chaotic systems is in the generation of a truly random bit 
sequence. Truly random numbers are required in public key 
cryptography as well as digital signature schemes as essential 
tools for data protection [2|. A truly random number generator 
requires a never-ending source of entropy (randomness). This 
can be supplied by the inherent natural noise in the analog cir- 
cuitry |[3)-||6). One of the most prominent solutions for random 
number generation is based on the chaotic maps (cf. ll7ll-ll9lD. 
A chaotic-map TRNG operates based on the amplification of 
the inherent noise in a chaotic map function by feeding the 
output back into the map in each time step [9|. Then, the 
map output is transformed into a binary random variable using 
a bit generation function. These systems are fast and easily 
integrable, and hence, interesting in practice. 

An ideal chaotic-map TRNG system should be capable of 
generating a truly random bit sequence. A truly random binary 
sequence consists of independent and equiprobable output 
symbols. Thus, the entropy-rate of a truly random binary 
sequence is equal to 1 bit per each bit [ 10]. On the other hand, 
due to the process variations, there is an inevitable correlation 
in the generated output bits. One important question is how 
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much performance degradation is expected given a non-ideal 
implementation of a TRNG circuit. The degraded performance 
due to the correlations necessitates the utilization of a post- 
processing unit for the recovery of the randomness in the bit 
sequence by decreasing the output bit-rate (cf. ifTTl . ifTSlO . 
However, all of such practical post-processing algorithms 
process the data blindly, i.e., without regard to the nature 
of the non-ideality that causes the correlation in the binary 
sequence. Hence, these algorithms do not necessarily produce 
truly random bits and also are not necessarily optimal in the 
sense that they achieve the highest possible bit rate. 

In (9), the authors presented a mathematical analysis of 
the Bernoulli shift map TRNG. In this paper, we describe 
the shortcomings of the model in J5] and present a more 
comprehensive model. Our contributions are as follows: 

> We present a hidden Markov modeling for chaotic-map 
TRNGs. 

• We derive the theoretical fundamental limits of the bit- 
generation process for a general chaotic-map TRNG. 

• We provide the theoretical fundamental limits of the 
performance of the post-processing units and compare 
with the performance of the well-known post-processing 
algorithms in IfTTl. fl2l. 

The rest of this paper is organized as follows. In Sec. |IIJ we 
present a brief review of the chaotic-map TRNGs. In Sec. [TTT| 
we investigate the statistical properties of the bit-generation 
process. In Sec. IIV1 we present the fundamental performance 
limits of TRNGs and post-processing units. In Section [Vl we 
elaborate on the significance of our results. Finally, Section [VTl 
concludes this paper. 

II. Background Review 

A. Discrete-Time Chaotic Maps 

Discrete-Time chaotic maps are discrete-time nonlinear dy- 
namical systems that exhibit chaotic behaviors. A discrete- 
time map is defined using a transformation function M(x) : 
(0,1) — > (0,1). The output of the map function is iterated 
by feeding back the output of the previous time-step as the 
input of the current time-step. That is x n = M(x n -i) = 
M n - 1 (x ), where M' l {x ) = M(M l ~ 1 (x )), n is the time 
step, xq is the initial state of the system, and x n is the state 
of the system at time n. It is straightforward to show that 
the sequence {x n } forms a Markov process (TJ. Let /«.(•) 
denote the probability distribution function of the chaotic 
map at time n. Due to the Markov property, the probability 
distribution at time (n + 1) is related to that of time n 
through the linear Frobenius-Perron operator P as given by 
fn(x) = Pf n -i(x). Please note that if the initial state of this 
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For the case of the Bernoulli shift map, a TRNG will be 
formed using the pair (MB er , £>Ber), where £>B er is defined as 
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Fig. 1. The Bernoulli shift map. 

deterministic system (i.e., xq) follows a degenerate probability 
distribution (i.e., is exactly known), the output behavior can 
be exactly predicted. On the other hand, if xq follows a 
non-discrete probability distribution /o(x) over (0,1) as a 
result of random perturbations, the corresponding Markov 
chain will be ergodic. Hence, the probability distribution /„ (x) 
asymptotically approaches a fixed steady-state distribution 
as n —} oo. Let foo(x) denote the respective steady-state 
probability distribution. It is straightforward to verify that 
foo(x) satisfies f^x) = P/ 00 (x). 

Next, we present a brief review of the Bernoulli shift map, 
which is widely used for truly random number generation. 
As shown in Fig. [T] the Bernoulli shift map is a piecewise 
linear function that exhibits chaotic behavior. The Bernoulli 
map function is given by 

m *^={T x -i §<:<! • 

Its Frobenius-Perron operator P is implicitly given by 

f n (x)=Pf n . 1 (x) = \{U-x (f Q + f )}• (2) 

It is straightforward to show that foo(x) = 1 is a solution to 
/oo = Pfoo, and hence, the steady-state probability distribu- 
tion is a uniform distribution over (0,1). 

B. Discrete-Time Chaotic TRNGs 

Next, we present random number generators that operate 
based on a chaotic map. A random number generator is defined 
by the pair (M, B) where M : (0,1) -> (0,1) is the map 
function and B : (0, 1) — > {0, 1} is the bit-generation function. 
Let the output binary sequence be denoted by {z n }, where 
z n = B(x n -i). Note that in a TRNG, only the sequence {z n } 
is available to the user and the actual state of the system x n is 
not known to the user. Thus, it is reasonable to assume that the 
initial state of the system follows the steady-state distribution, 
i.e., Xq follows /ooljThis assumption makes sense in practice 
where no prior knowledge about xq is available to the user. As 
a result of this assumption, the output sequence {x n } of the 
TRNG forms a stationary Markov process. Further, since the 
user does not have access to the state of the chaotic map (the 
user only observes the binary sequence {z n }), the sequence 
{z n } by definition forms a hidden Markov process lfl3l . A 
hidden Markov process is a random process whose outcomes 
are functions of a Markov process. 

1 In this paper we use the upper case letter to denote a random variable and 
the lower case letter to denote a realization of the random variable. 
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where [x\ denotes the greatest integer less than or equal to 
x. In other words, the output is z n — if x n -i < 1/2 and 
z n = 1 if x n -\ > 1/2. It is straightforward to verify that the 
bits generated from the Bernoulli shift map TRNG are iid and 
equally or 1. This is due to the fact that given Z n , X n is 
independent of X n -%, In fact X n follows the uniform steady- 
state distribution given Z n . Hence Z n+ i is also independent 
of Z n and the generated bit sequence is truly random. In 
other words, we can show that P[z„|z n_1 ] = P[z n ] = i@ 
This simple analysis reveals that the bit generation from the 
Bernoulli shift map is a memoryless process. 

In 0, the authors presented a first-order Markov model 
for the Bernoulli shift map. Since the hidden Markov bit- 
generation process does not generally yield to a Markov 
process, the model in (9) is not capable of explaining the bit- 
generation process for a general chaotic map. Thus, while the 
model applies to the Bernoulli shift map, it is even incapable 
of explaining a slightly non-ideal map. Further note that 
the hidden Markov processes are much more complicated to 
analyze as compared to the Markov processes lfl3ll . and hence, 
an in-depth study of the bit-generation process is non-trivial. 

III. Statistical Properties of Bit-Generation 

In this section, we theoretically investigate the bit- 
generation process from a discrete-time chaotic map, where 
nonidealities are present. Let N(x) denote the number of solu- 
tions to the equation M(u) — x. Further, let 1*1,1*2, ...,u^m 
be the N(x) solutions. For example, it is seen that in the 
Bernoulli map we have N(x) = 2 for all x £ (0, 1). 
The Frobenius-Perron operator for the chaotic map is then 
expressed as 



JV(x) 



fn(x) = Pfn-l(x) = 



1 



\M'( Ui ) 



/n-lK), (4) 



where M'(uj) is the derivative of the map function M at itj. 

In order to clarify the discussions, we will consider the 
example map function shown in Fig. |2(a)| Note that, however, 
the framework is generic and is applicable to any chaotic map. 
The example map function M ex is 

x n = M ex (x n ^i) = log 2 (l + 3x„_i)-|_log 2 (l-t-3:E n _i)J. (5) 

Further, let the bit generation function for the example map 
be chosen to be 



(6) 



Thus, z n = 1 (z n = 0) whenever the input is x n > 4 (x n < 
■|), as shown by the vertical dashed line in the figure. It is 
easily seen that there are exactly two solutions to M(u) = x 
for all x in the example map (except at the break-points). Note 

2 For any i < j, we define = (z, , Zi+i . . . , Zj) as the sequence of all 
binary outputs from time i to time j. We further denote z J = z\. 
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Fig. 2. (a) The sample map. (b) Steady-state probability distribution, (c) Conditional entropy. 
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that this need not be the case in a general map. For example, 
at x — 0.4, the steady-state distribution is dependent on the 
steady-state distribution at points ux and 112 as shown in the 
figure. The solution to the steady-state probability distribution 
for the example map is illustrated in Fig. |2(b)| The first thing 
we can easily observe is that and 1 are not equiprobable, 
which indicates that the generated bit sequence cannot be truly 
random. 

As discussed earlier, the generated bit sequence {z n } is 
related to the output sequence {x n } of the chaotic map through 
z n = B(x n -i), We further assume that the initial value of 
the chaotic map, i.e., xq, follows the steady-state distribution. 
Note that this assumption is valid as long as we have no prior 
knowledge about the outputs of the random number generator. 
Further, let the set S n (z n ) C (0, 1) be defined as follows. 

B(x ) = zi 
B(xi) = z 2 



S n {z r > 



•i-0 



where 



for all < j < 



(7) 

n — 1 denotes the state of the 



system at time j. Note that all states [x\, . . . , x n ) are exactly 
determined if the initial state xq is known. In other words, 
S n {z n ) is the set of all initial points xq for which the first 
n generated bits are given by the bit sequence z n . Thus, if 
S n (z n ) is known, we can find the probability of the event that 
the sequence z n is generated, as given by 

P[z n ] = [ foc(x)dx. (8) 

JxeS n (z n ) 

As a special case, Si(zi) = {xo\B(xq) = zi} is the set of 
all points in the map that generate the output bit z\ (either or 
1). This is indeed given by the definition of the bit-generation 
function. Accordingly, we can calculate the probability of the 
event that z\ is generated by P[zi] = J xe s 1 t zi \ foo(x)dx. This 
calculation leads to obtaining the widely used measure for the 
randomness of a binary sequence, which is the bias b, defined 
as 



P[0] - \ 



PW-i 



(9) 



The bias is a measure of the closeness of the average number 
of l's in the sequence to the desired value of ~. In the case 
where the generated bits in the output sequence are known 
to be independent, bias is the only determining factor for 
the randomness of the sequence, where a zero bias (6 = 0) 
indicates that the binary sequence is in fact truly random. On 
the other hand, as we shall see shortly, the hidden Markov 



x g S k (z k ) 



(10) 



process defined here in general entails correlation between the 
bits in the sequence. In other words, the outputs Z\ and Z n 
are correlated for all n > 1, i.e., the knowledge of z\ will 
provide partial information about whether z n is or 1. 

To clarify, we again consider the example map in Fig. |2(a)| 
Here, by definition of £> ex , we have <Si(0) = (0, |), and 
S\(l) = (g, 1)- Accordingly, we can determine P[0] = 0.14, 
P[l] = 0.86, and the bias to be b = 0.36. 

As described above, we need to determine S n (z n ) in 
order to calculate P[z™]. Next, we will describe a recursive 
algorithm for determining S n (z n ). Let assume that Sk(z k ) is 
known for all possible 2 fc binary sequences z k . Then, we have 

x e Si(zi) 

X X G S k -i{z k ) ' 
where xx = M(xq). Thus, Sk{z k ) can be redefined as 

S k (z k ) = {x Q G Sx(zx)\M(x ) G S fe _i(4)}. (11) 
Thus, Sk is obtained recursively using Sk-x- 

IV. Fundamental Performance Limits 

In this section, we present the fundamental performance lim- 
its of bit-generation and post-processing processes in TRNGs. 
Although bias is an important and widely used measure for 
the performance of the TRNGs, we shall demonstrate shortly 
that the higher order statistics of the binary sequence could 
play a more important role. 

In our development, we will derive the entropy-rate of 
the bit-generation process. Since chaotic-map TRNGs are 
governed by a hidden Markov process, no closed form solution 
exists for the entropy -rate in general [13"]. Thus, we need an 
approximate solution. Let the entropy of the sequence z n be 
defined as 1 10 1 

H(Z-)= E P ^ lo &(p^r)- (12) 

z"G{04}" 

Let H(Z n \Z n ^ 1 ) denote the conditional entropy of the ran- 
dom symbol Z n given the latest n — 1 symbols (i.e., Z n ~ 1 ). 
That is El 



HiZnlZ 71 - 1 ) = H{Z n ) - HiZ 11 - 1 ). 



(13) 



It is straightforward to show that H(Z n \Z n ~ 1 ) is a mono- 
tonically decreasing function of n, and hence, H{Z n \Z n ^ 1 ) 
converges to a fixed value H called the entropy-rate of the 
generated binary sequence as given by 

H= lim H(Z n \Z n - 1 )= lim -H{Z n ). (14) 
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Note that since {Z n } comes from a hidden Markov process 
in the case of chaotic-map TRNGs, the rate of convergence of 
H[Z n \Z n ~ l ) to the entropy-rate H is exponential in n 0~3). 

Let a post-processing unit be defined as a code that inputs 
a random binary sequence z n and outputs another random 
sequence denoted by t k . Let V n ,k ■ {0, 1}" -)• {0, l} k denote 
the deterministic post-processing function. Further, let R = — 
denote the post-processing rate. Please note that for any n, 
the output rate of the post-processing unit can take (n + 1) 
discrete values of {0, ~, . . . , 1} based on the value of k. 

Definition 1 We say that the post-processing function V n ,k 
is asymptotically truly random if for a fixed R, we have 
lim^oo \H (T k ) = 1. 

Intuitively, a truly random post-processing unit is one that 
asymptotically for large n turns the input sequence to a nearly 
truly random bit sequence. 

Next, we will present our main results that determine the 
fundamental performance limits of the TRNGs. 

Theorem 1 If R > H, then any post-processing function V n ,k 
is not asymptotically truly random. 

Proof: According to the data processing theorem [10], we 
have H(T k ) < H(Z n ). Hence, 

lim yH(T k ) < lim \n(Z n ) = — < 1, (15) 

fc— >oo k fc->oo k R 

and the proof is completed. ■ 
Roughly speaking, Theorem Q] states that in order to turn 
the output bits of the TRNG to a truly random sequence we 
have to decrease the rate by a factor H. 

Theorem 2 For any rate R < H, there exists a post- 
processing function V n .k that is asymptotically truly random. 

Proof: The proof builds upon the idea of universal 
source coding and the asymptotic equipartition property 1101 . 
Let denote the typical set with respect to P[Z n ] as 

defined in flOl . Then, using the Shannon-McMillan-Breiman 
theorem fl4l . we can show that P[Z n e A { J l) ] > 1 - e and 
\A { e n) \ < 2™( ff+e ) for sufficiently large n flU. In other words, 
any sequence of length n, with probability at least (1 — e), 
is contained in the typical set whose size is no larger than 
2 n(H+e)^ L et k = n(H + e). Then, Vz™ £ A^ ] , denote t k (z n ) 
as the unique sequence number of the sequence z n in the 
typical set. The post-processing operates as follows. 



V n , k {z n ) 



t k (z n ) ifz n eA, 



(n) 



otherwise 



(16) 



where k denotes the all-zero sequence of length k. Hence, the 
post-processing rate is asymptotically r = lirrin^oo ^ — H . 
Further, we have jH(T k ) > 1 — jj by definition, and hence, 
linifc^oo jH(T k ) = 1 as desired. ■ 
Theorem [2] states that we can design a truly random post- 
processing unit for any rate R that is smaller than the entropy- 
rate. Thus, the optimal rate of the post-processing unit is 
asymptotically equal to H. However, Theorem|2]does not state 



anything about the complexity of such a post-processing unit. 
The tools developed in this paper are expected to pave the way 
for exploring such trade-offs. Again, considering the example 
map in Fig. |2(a)| the entropy-rate can be shown to be ~ 0.57 
(Fig. |2(c)| i. Therefore, at least 43% of the generated bits must 
be discarded in the post-processing if truly random bits are to 
be generated using the discrete-time chaotic map. 

V. Significance of the Results 

The main results of this paper (which are the evaluation 
of the bit-generation process and evaluation of the post- 
processing units) can be used as design constraints in the 
system-level as well as circuit-level optimization of chaotic- 
map truly random number generators and post-processing 
units. Although the entropy calculation is exponential in n 
(the sequence length), as described in the previous section, 
the convergence is exponentially fast and the convergence is 
achieved for very short sequences. The entropy-rate of several 
Monte Carlo samples from a chaotic map can be calculated so 
as to evaluate the performance of the design in the presence 
of process variations and determine the effectiveness of post- 
processing algorithms. 

A. Post-processing 

Due to imperfections in practice, the output bits of a TRNG 
are almost always correlated. This calls for the post-processing 
of the data to remove the correlations, i.e., the bias and the 
higher order dependencies. Von-Neumann is a widely used 
algorithm, which has proven to be effective in the removal 
of the bias and correlation. In Von-Neumann algorithm, the 
sequence is divided into the blocks of length two. Then, 01 
and 10 are mapped to and 1, respectively, while 00 and 
11 are discarded. The Von-Neumann algorithm is, therefore, 
variable bit-rate depending on the statistical characteristics of 
the original sequence. Using the analysis in this paper, the 
Von-Neumann post-processing rate is readily derived to be 
-Rvon-Neumann = \ (P [01] +P [10] ). Further, if a truly random bit 
sequence is fed into the Von-Neumann algorithm, the output 
rate is only i, and hence, the Von-Neumann post-processing is 
not optimal-rate0 For the example map of Fig. |2(a)| we have 
P[01] w 0.11 and P[10] « 0.11. Thus, the output sequence 
of Von-Neumann post-processing is nearly unbiased while the 
post-processing rate R w 0.11 is much less than the entropy- 
rate of H ps 0.57. Finally, the Von-Neumann algorithm does 
not guarantee the truly randomness of the output bit sequence 
due to higher order dependencies. 

Next, we also consider the post-processing unit by Addabbo 
et. al. |[T2l . The authors provide a post-processing unit that 
results in the generation of bits that pass randomness statistical 
tests when H « 1. However, in their design, the post- 
processing rate is equal to one, i.e., i?Addabbo = 1. Therefore, 
according to Theorem[T] this post-processing in essence cannot 
generate a truly random sequence unless the input bit-stream 
is truly random in the first place. Further, if applied on the 
example map (or any other map with small entropy), this post- 
processing will perform very poorly. 



lim„ 



3 A post-processing function V n k is asymptotically optimal-rate if we have 
— = H. 
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Fig. 3. The dashed red curves correspond to the tailed tent map. The solid blue curves correspond to the increased slope Bernoulli shift map. (a) Tailed tent 
map function: Afxaiied-TentM (dashed red curve) and increased slope Bernoulli shift map function: iWBer-2.2(^) (solid blue curve), (b) Steady-state probability 
distribution, (c) Conditional entropy. 



B. Performance of Practical TRNGs 

To proceed, we utilize the developed methodology in order 
to evaluate the performance of two practical chaotic maps. 
As the first example, we consider tent map based TRNGs 
(cf. IT310 . Tent map is a chaotic map with very similar 
characteristics to those of the Bernoulli map studied in Sec. HI] 
However, the circuit implementation of the tent map suffers 
from the saturation problem, where the output can be saturated 
in a point due to implementation variations fl5l . Ifl6l . In fl6l . 
the authors presented a tailed tent map (the dashed red curve 
demonstrated in Fig. |3(a)| > that resolves the saturation problem. 
The tailed tent map has been proven to have a uniform steady- 
state distribution, as shown in Fig. |3(b)| The tailed tent map 
along with the bit-generation function £>T a ii e d-Tent(^) = L^+^J 
can result in a random number generator. The question is how 
good is the performance of this RNG. First thing to note is that 
the output bit stream is unbiased due to the uniform steady- 
state distribution. However, the conditional entropy converges 
to a value of H w 0.54 (Fig. |3(c)| i. Therefore, despite the 
uniform steady-state distribution and unbiased bit sequence, at 
least 46% of the generated bits need to be discarded in order to 
be able to obtain a truly random bit sequence. This shows that 
neither the unbiasedness of the output bits nor the uniformity 
of the steady-state distribution are appropriate measures for 
the performance evaluation of chaotic-map TRNGs. 

In (9), authors proposed an ADC-based implementation for 
the Bernoulli shift map. Using the developed framework, we 
would like to show that the output bit stream is robust to slope 
variations. Let consider the Bernoulli shift map with slope 
increased to 2.2 (instead of 2), as shown by the solid blue 
curve in Fig. |3(a) The corresponding steady-state distribution 
3(b)| which is clearly not uniform. In this 
generation process be such that the first 
breakpoint of the system is the threshold for the generation 
of and 1, i.e., £>Ber-2.2(aO = + TlJ- Clearly, the output bit 
sequence will be biased with b w 0.04. Although the steady- 
state distribution is not uniform and the output sequence is 
biased, the investigation of the entropy-rate reveals that we 
have H w 0.99 (Fig. |3(c)) . Hence, it is possible to obtain truly 
random bits from this map with a slight ~ 1% decrease in the 
bit-generation rate. Furthermore, if Addabbo's post-processing 
is applied, the generated bit sequence is almost truly random. 

VI. Conclusion 

In this paper, we presented a hidden Markov modeling 
for discrete-time chaotic-map truly random number generators 



is shown in Fig. 
case, let the bit 



(chaotic-map TRNGs). We proved that the entropy-rate is the 
fundamental performance limit of the the bit-generation pro- 
cess from a given map. We concluded that unbiasedness of the 
generated bits and the uniformity of steady-state distribution 
of the chaotic map are not good measures for the performance 
evaluation of the TRNG Instead, the entropy-rate of the bit- 
generation process can be used to investigate the performance 
of any chaotic-map TRNG and post-processing algorithm. 
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